The European Commission has adopted two adequacy decisions for the United Kingdom - one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive. This means that personal data can now flow freely from the European Union to the United Kingdom where it benefits from an equivalent level of protection to that guaranteed under EU law.
The adequacy decisions facilitate implementation of the EU-UK Trade and Cooperation Agreement, which foresees the exchange of personal information, for example, for cooperation on research collaborations. However, both adequacy decisions include safeguards in case of future divergence, including a four-year time limit on the duration of adequacy.
The key points from the adequacy decisions include:
- The UK's data protection system continues to be based on the same rules that were applicable when the UK was a Member State of the EU, meaning that the UK has fully incorporated the principles, rights and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal system.
- For the first time, the adequacy decisions include a so-called 'sunset clause', meaning that the decisions will automatically expire four years after their entry into force. After that period, the adequacy findings might be renewed, but only if the UK continues to ensure an adequate level of data protection, which the Commission will continue to review.
The adequacy decision can be found at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en